Discussed herein is technology for verifiable network configuration repair. A method can include adding a routing adjacency or route redistribution edge to a router of an aETG to generate an enhanced aETG (eaETG), adding, for each dETG of dETGs, static route edges to a destination of the dETG to generate an enhanced dETG (edETG), determining, for each of the edETGs, all simple paths from all sources to the destination of the edETG, determining a set of paths (pathtset) over the determined simple paths that satisfies the policies, and translating the edge additions and/or removals in the eaETG and in the edETGs to an addition and/or removal of one or more of a routing adjacency, routing filter, or static route based on the determined pathset.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A network configuration repair apparatus, the apparatus comprising: memory with policies, extended topology graphs (ETGs) including an all ETG (aETG), and destination ETGs (dETGs) for each policy destination in the policies, stored thereon; and processing circuitry configured to: add a routing adjacency or route redistribution edge to a router of the aETG to generate an enhanced aETG (eaETG); add, for each dETG of the dETGs, static route edges to the destination of the dETG to generate an enhanced dETG (edETG); determine, for each of the edETGs, all simple paths from all sources to the destination of the edETG; determine a set of paths (pathtset) over the determined simple paths that satisfies the policies; and translate the edge additions and/or removals in the eaETG and in the edETGs to an addition and/or removal of one or more of a routing adjacency, routing filter, or static route based on the determined pathset.
2. The apparatus of claim 1 , wherein the processing circuitry is configured to mark as virtual the added routing adjacency or route redistribution edge of the eaETG.
3. The apparatus of claim 2 , wherein the processing circuitry is configured to mark as virtual the added static route edges of the edETG.
4. The apparatus of claim 3 , wherein the processing circuitry is configured to add, to the edETG, endpoint vertexes for all sources that are part of the desired policies, whether allowed or not allowed, to communicate with the destination corresponding to the edETG.
5. The apparatus of claim 4 , wherein the processing circuitry is configured to mark edges of the edETG that correspond to blocked traffic according to the policies, as blocked.
6. The apparatus of claim 5 , wherein the processing circuitry is configured to remove, from each edETG, static route vertexes and edges for all other destinations but the destination corresponding to edETG.
7. The apparatus of claim 1 , wherein determining the pathtset over the determined simple paths that satisfies the policies includes encoding such that an edge appears in at most one of the k paths that satisfy a k-reachable policy of the policies.
8. The apparatus of claim 7 , wherein encoding further includes encoding using a hard constraint and a soft constraint on blocked traffic such that only if all control plane paths cannot be blocked, then block the traffic at a corresponding data plane.
9. The apparatus of claim 8 , wherein the processing circuitry is configured to remove edges not in the resulting pathset from the edETG, and generate a traffic class ETG (tcETG) for each traffic class, and alter the tcETG by adding or removing one or more edges.
10. The apparatus of claim 9 , wherein the added or removed one or more edges in tcETG are translated to addition or removal of respective access control lists (ACLs).
11. A computer-implemented method for network configuration repair, the method comprising: adding a routing adjacency or route redistribution edge to a router of an aETG to generate an enhanced aETG (eaETG); adding, for each dETG of dETGs, static route edges to a destination of the dETG to generate an enhanced dETG (edETG); determining, for each of the edETGs, all simple paths from all sources to the destination of the edETG; determining a set of paths (pathtset) over the determined simple paths that satisfies the policies; and translating the edge additions and/or removals in the eaETG and in the edETGs to an addition and/or removal of one or more of a routing adjacency, routing filter, or static route based on the determined pathset.
12. The method of claim 11 , further comprising marking as virtual the added routing adjacency or route redistribution edge of the eaETG.
13. The method of claim 12 , further comprising marking as virtual the added static route edges of the edETG.
14. The method of claim 13 , further comprising adding, to the edETG, endpoint vertexes for all sources that are part of the desired policies, whether allowed or not allowed, to communicate with the destination corresponding to the edETG.
15. The method of claim 14 , further comprising marking edges of the edETG that correspond to blocked traffic according to the policies, as blocked.
16. A non-transitory machine-readable medium including instructions that, when executed by a machine, cause the machine to perform operations for network reconfiguration or repair, the operations comprising: adding a routing adjacency or route redistribution edge to a router of an aETG to generate an enhanced aETG (eaETG); adding, for each dETG of dETGs, static route edges to a destination of the dETG to generate an enhanced dETG (edETG); determining, for each of the edETGs, all simple paths from all sources to the destination of the edETG; determining a set of paths (pathtset) over the determined simple paths that satisfies the policies; and translating the edge additions and/or removals in the eaETG and in the edETGs to an addition and/or removal of one or more of a routing adjacency, routing filter, or static route based on the determined pathset.
17. The non-transitory machine-readable medium of claim 16 , wherein the operations further include removing, from each edETG, static route vertexes and edges for all other destinations but the destination corresponding to edETG.
18. The non-transitory machine-readable medium of claim 16 , wherein determining the pathtset over the determined simple paths that satisfies the policies includes encoding such that an edge appears in at most one of the k paths that satisfy a k-reachable policy of the policies.
19. The non-transitory machine-readable medium of claim 18 , wherein encoding further includes encoding using a hard constraint and a soft constraint on blocked traffic such that only if all control plane paths cannot be blocked, then block the traffic at a corresponding data plane.
20. The non-transitory machine-readable medium of claim 19 , wherein the operations further include: removing edges not in the resulting pathset from the edETG, and generate a traffic class ETG (tcETG) for each traffic class, and alter the tcETG by adding or removing one or more edges, wherein the added or removed one or more edges in tcETG are translated to addition or removal of respective access control lists (ACLs).
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
July 22, 2019
February 16, 2021
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.